Jenkins / JENKINS-56842

RejectedAccessException for constructor despite being whitelisted

      Description

      As part of a Groovy Jenkinsfile pipeline, we have a library function (pulled in via a pipeline library) that does the following (with the appropriate import):

      import groovy.text.GStringTemplateEngine

      @NonCPS
      String generateTemplate(final String src, final Map variables) {
          def engine = new GStringTemplateEngine()
          return engine.createTemplate(src).make(variables).toString()
      }

      We have a script approval for new GStringTemplateEngine in the scriptApproval.xml (which is also present in the script approval console).

      <string>new groovy.text.GStringTemplateEngine</string>
      

      However, when executed, the following error occurs:

      Scripts not permitted to use new groovy.text.GStringTemplateEngine. 
      
       [Pipeline] End of Pipeline
       GitHub has been notified of this commit's build result
      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new groovy.text.GStringTemplateEngine
       at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectNew(StaticWhitelist.java:184)
       at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onNewInstance(SandboxInterceptor.java:170)
       at org.kohsuke.groovy.sandbox.impl.Checker$3.call(Checker.java:198)
       at org.kohsuke.groovy.sandbox.impl.Checker.checkedConstructor(Checker.java:203)
       at org.kohsuke.groovy.sandbox.impl.Checker$checkedConstructor$1.callStatic(Unknown Source)
       at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
       at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
       at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:214)
       at templating.generateTemplate(templating.groovy:5)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:498)
       at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93)
       at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
       at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1213)
       at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1022)
       at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.call(PogoMetaClassSite.java:42)
       at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
       at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
       at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:158)
       at org.kohsuke.groovy.sandbox.GroovyInterceptor.onMethodCall(GroovyInterceptor.java:23)
       at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:155)
       at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:156)
       at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:160)
       at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:17)
       
      

      Clicking the link to add the approval seems to have no effect (the approval is already in the list and clicking approve does not change the behaviour).

      The same has been tried with having the approval not previously present in the list, and with other template engine classes without success.

      This functionality was working with older versions of the plugins taken on 18th March 2019.

      Has anything changed (e.g. with the recent security updates) that would require a different approach/approval for this functionality, or is this symptomatic of a bug?
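A triage helper for the situation reported above, added here as an example (it is not the reporter's code and not part of Jenkins or the Script Security plugin): it extracts each rejected signature from a build log and checks it against the signatures recorded in scriptApproval.xml. The `approvedSignatures` and `pendingSignatures` element layout, the sample XML and the status names are assumptions made for the example; only the `<string>` entry and the exception line are taken from the report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample; only the GStringTemplateEngine <string> entry is from the report.
SAMPLE_APPROVALS = """<?xml version='1.1' encoding='UTF-8'?>
<scriptApproval>
  <approvedSignatures>
    <string>new groovy.text.GStringTemplateEngine</string>
  </approvedSignatures>
  <pendingSignatures>
    <pendingSignature><signature>new groovy.text.SimpleTemplateEngine</signature></pendingSignature>
  </pendingSignatures>
</scriptApproval>"""

# Exception line as it appears in the report's build log.
SAMPLE_LOG = ("org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: "
              "Scripts not permitted to use new groovy.text.GStringTemplateEngine\n")

REJECTED = re.compile(r"RejectedAccessException: Scripts not permitted to use (.+)")
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

def load_signatures(xml_text):
    """Return (approved, pending) signature sets from scriptApproval.xml text."""
    # Drop the declaration: Jenkins can write version='1.1', which expat may refuse.
    root = ET.fromstring(XML_DECL.sub("", xml_text, count=1))
    grab = lambda path: {e.text.strip() for e in root.findall(path) if e.text and e.text.strip()}
    return grab("./approvedSignatures/string"), grab("./pendingSignatures/pendingSignature/signature")

def rejected_signatures(log_text):
    """Unique signatures named in RejectedAccessException lines of a build log."""
    return sorted({m.strip() for m in REJECTED.findall(log_text) if m.strip()})

def member_key(sig):
    """Kind + class (+ member name), ignoring parameter types."""
    parts = sig.split()
    return tuple(parts[:2] if parts[0] == "new" else parts[:3])

def triage(xml_text, log_text):
    """Map each rejected signature to its approval status (status names are hypothetical)."""
    approved, pending = load_signatures(xml_text)
    approved_keys = {member_key(a) for a in approved}
    result = {}
    for sig in rejected_signatures(log_text):
        if sig in approved:
            result[sig] = "approved-but-rejected"   # the case described in this report
        elif sig in pending:
            result[sig] = "pending"
        elif member_key(sig) in approved_keys:
            result[sig] = "approved-with-different-arguments"
        else:
            result[sig] = "not-approved"
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_APPROVALS, SAMPLE_LOG))
```

An `approved-but-rejected` result means the exact signature string is on file, so a missing or misspelled approval entry does not explain the rejection.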


            People

            • Assignee:
              abayer Andrew Bayer
              Reporter:
              emlyn Emlyn Whittick